Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MOSIP-36642: Different error code and messages and unable to upload l… #322

Merged
merged 2 commits into from
Nov 13, 2024
+72 −26
Merged

MOSIP-36642: Different error code and messages and unable to upload l… #322

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f1faaea
MOSIP-36642: Different error code and messages and unable to upload l…
nagendra0721 Nov 7, 2024
f0ce723
Merge branch 'develop' into pmsErrCodeLessthan1yr
mahammedtaheer Nov 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions ...in/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerErrorConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ public enum PartnerCertManagerErrorConstants {
SELF_SIGNED_CERT_NOT_ALLOWED("KER-PCM-015", "Self Signed Certificate not allowed as partner."),

SIGN_CERT_NOT_ALLOWED("KER-PCM-016", "Sign Certificate not allowed for the authenticated token."),

CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED("KER-PCM-017","The CA Certificate validity is less than required minimum validity."),
;

/**
Expand Down
84 changes: 58 additions & 26 deletions ...io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,9 @@ public class PartnerCertificateManagerServiceImpl implements PartnerCertificateM
@Value("${mosip.kernel.partner.truststore.cache.disable:false}")
private boolean disableTrustStoreCache;

@Value("${mosip.kernel.partner.cacertificate.upload.minimumvalidity.month:12}")
private int minValidity;


/**
* Utility to generate Metadata
Expand Down Expand Up @@ -177,40 +180,17 @@ public CACertificateResponseDto uploadCACertificate(CACertificateRequestDto caCe
int certsCount = certList.size();
LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
PartnerCertManagerConstants.EMPTY, "Number of Certificates inputed: " + certsCount);

String partnerDomain = validateAllowedDomains(caCertRequestDto.getPartnerDomain());
boolean foundError = false;
boolean uploadedCert = false;
for(Certificate cert : certList) {
X509Certificate reqX509Cert = (X509Certificate) cert;

String certThumbprint = PartnerCertificateManagerUtil.getCertificateThumbprint(reqX509Cert);
boolean certExist = certDBHelper.isCertificateExist(certThumbprint, partnerDomain);
if (certExist) {
LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
PartnerCertManagerConstants.EMPTY, "CA/sub-CA certificate already exists in Store.");
if (certsCount == 1) {
throw new PartnerCertManagerException(
PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorCode(),
PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorMessage());
}
foundError = true;
continue;
}

boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert);
if (!validDates) {
LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
PartnerCertManagerConstants.EMPTY, "Certificate Dates are not valid.");
if(certsCount == 1) {
throw new PartnerCertManagerException(
PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(),
PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
}
foundError = true;
continue;
}

foundError = validateBasicCaCertificateParams(reqX509Cert, certThumbprint, certsCount, partnerDomain);

String certSubject = PartnerCertificateManagerUtil
.formatCertificateDN(reqX509Cert.getSubjectX500Principal().getName());
String certIssuer = PartnerCertificateManagerUtil
Expand Down Expand Up @@ -465,6 +445,58 @@ private void validateBasicPartnerCertParams(X509Certificate reqX509Cert, String
}
}

private boolean validateBasicCaCertificateParams(X509Certificate reqX509Cert, String certThumbprint, int certsCount,
String partnerDomain) {
boolean foundError = false;
boolean certExist = certDBHelper.isCertificateExist(certThumbprint, partnerDomain);
if (certExist) {
LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
PartnerCertManagerConstants.EMPTY, "CA/sub-CA certificate already exists in Store.");
if (certsCount == 1) {
throw new PartnerCertManagerException(
PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorCode(),
PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorMessage());
}
foundError = true;
}

boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert);
if (!validDates) {
LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
PartnerCertManagerConstants.EMPTY, "Certificate Dates are not valid.");
if(certsCount == 1) {
throw new PartnerCertManagerException(
PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(),
PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
}
foundError = true;
}

boolean minimumValidity = PartnerCertificateManagerUtil.isMinValidityCertificate(reqX509Cert, minValidity);
if(!minimumValidity) {
LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
PartnerCertManagerConstants.EMPTY, "Certificate expire before the minimum validity.");
if (certsCount == 1) {
throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorCode(),
PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorMessage());
}
foundError = true;
}

int certVersion = reqX509Cert.getVersion();
if (certVersion != 3) {
LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,
PartnerCertManagerConstants.EMPTY,
"CA Certificate version not valid, the version has to be V3");
if (certsCount == 1){
throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERT_VERSION.getErrorCode(),
PartnerCertManagerErrorConstants.INVALID_CERT_VERSION.getErrorMessage());
}
foundError = true;
}
return foundError;
}

private void validateOtherPartnerCertParams(X509Certificate reqX509Cert, String reqOrgName) {
int certVersion = reqX509Cert.getVersion();
if (certVersion != 3) {
Expand Down
12 changes: 12 additions & 0 deletions .../src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,18 @@ public static boolean isSelfSignedCertificate(X509Certificate x509Cert) {
return false;
}

public static boolean isMinValidityCertificate(X509Certificate x509Certificate, int minimumValidity) {
try {
LocalDateTime timeStamp = DateUtils.getUTCCurrentDateTime().plusMonths(minimumValidity);
LocalDateTime expiredate = x509Certificate.getNotAfter().toInstant().atZone(ZoneId.of("UTC")).toLocalDateTime();
return !expiredate.isBefore(timeStamp);
} catch (Exception exp) {
LOGGER.debug(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
PartnerCertManagerConstants.PCM_UTIL, "Error minimum Validity of Certificate: " + exp.getMessage());
return false;
}
}

/**
* Function to format X500Principal of certificate.
*
Expand Down
Loading